Verify the verifier

Asset manifest

Each row is one asset the verifier loads. The SHA-256 is the hex digest of the raw bytes served from verify.carvetrace.com as of the date above.

How to verify

You verify two things : (a) that the assets your browser executes match the hashes above, and (b) that the hashes above match the source code of the verifier itself. Both checks are open to anyone.

(a) Match the live assets to the manifest

Open a terminal and run :

for path in \
  / /main.js /style.css \
  /pkg/carvetrace_verify_wasm.js \
  /pkg/carvetrace_verify_wasm_bg.wasm
do
  curl -s "https://verify.carvetrace.com$path" | sha256sum
done

Each line should match a SHA-256 row above. If a line does not match, treat it as a security event — file a report and do not rely on the live verifier until it's resolved.

(b) Build the verifier yourself and compare

The verifier source code is open under Apache 2.0 at github.com/aryamind-tech/carvetrace-verify-wasm. Build it locally :

git clone https://github.com/aryamind-tech/carvetrace-verify-wasm
cd carvetrace-verify-wasm
# Required : Rust 1.79+ with wasm32-unknown-unknown target, wasm-pack, binaryen.
wasm-pack build --release --target web --out-dir web/pkg
# wasm-opt -Oz the bundle as the deploy pipeline does (see DEPLOYMENT.md).
wasm-opt -Oz web/pkg/carvetrace_verify_wasm_bg.wasm \
  -o web/pkg/carvetrace_verify_wasm_bg.wasm
# Now compare :
sha256sum web/pkg/carvetrace_verify_wasm_bg.wasm

The hash should match the WASM row above. If it doesn't, your build tooling differs from the deploy pipeline ; check the wasm-pack and wasm-opt versions against the deploy workflow.

What this protects against

• Adversary serves a tampered verifier from the same URL. Your check (a) catches it : the served hash diverges from this manifest.
• Hidden modification at build time. Your check (b) catches it : you build from source and compare.
• Cloudflare account compromise. If an attacker re-deploys malicious assets through CarveTrace's CF account, this manifest doesn't change (we sign the deploy commit on the marketing-site repo). Diverging assets → security report.
• This manifest itself being tampered with. This page is statically built from aryamind-tech/carvetrace-site. If we replaced the hashes here to cover an attack on the verifier, the deploy commit on carvetrace-site would show that change — and you can build the marketing site yourself and compare.

Release history

Material hash changes are logged below ; routine updates are not individually listed (each commit on carvetrace-verify-wasm or carvetrace-site is the canonical log).

• 2026-06-17 — Manifest initial publication. Verifier WASM at d6052bd5…, 491,776 bytes. Corresponds to verify-wasm main branch as of 2026-06-04.
• 2026-05-26 — Verifier verdict-label refactor (TD-WASM-VERDICT-LABEL closed, 7 producer-identity rejection sites refactored from build_as_error → fail+build). Visual no-op for the manifest format but the binary changed.
• 2026-05-21 — verify.carvetrace.com custom-domain bind to Cloudflare Pages. Verifier-of-record (WASM) became production-canonical.